As the satellite industry faces evolving security threats from nation-states, criminals, and other rogue entities, using the right strategies to manage security is of utmost importance to all stakeholders, from antenna manufacturers to network operators. As a September 2016 report from Chatham House noted, the huge amount of data disseminated through satellites makes it possible for criminals to corrupt accuracy and reliability with a low probability of discovery.
At SATELLITE 2017’s “CyberSecurity Roundtable: Collaborating with Your Satcom Customer” session on Wednesday morning, speakers from Inmarsat Global, Hughes, ViaSat, iDirect, and ITC Global addressed the most pressing concerns surrounding security, and offered timely ideas on how to improve existing practices.
Speakers acknowledged that while no security solution is 100 percent secure, a shared interest in established security principles can help everyone. In turn, collaboration will become especially important in coming years.
“Security, stability, and resiliency are essential at Inmarsat, and I think you see that across the satellite industry,” said Donna Bethea-Murphy, senior vice president of global regulatory at Inmarsat Global. “We see ourselves going into the internet of things; but the more we integrate the more vulnerabilities we see.”
Andy Tomaszewski, vice president of advanced programs at iDirect, said his organization has had to boost its risk-management efforts, and today employs multiple strategies, such as using third parties to test networks, tasking a rapid-response team with addressing issues the moment they emerge, and enhancing monitoring. iDirect also uses dark web forums to gather information, while relying on law enforcement to guide its actions.
Because threat actors appear “up and down” the supply chain, sharing information with partners is critical; when iDirect receives threats from actors such as nation-states, it publishes those to the technology community (so experts can analyze malware) with the intent of helping others. “The sharing of information is critical,” he said. “We need to communicate up and down the supply chain.”
Craig Miller, CTO of ViaSat’s Government Systems Division, said his organization also takes a “holistic approach” to security, which enables rapid response to threats. “We have a wide array of customers on our network, which leads to a wide array of threats on our network,” he said.
Miller also noted that because customers’ security needs and expectations may vary dramatically, the satellite industry is under pressure to offer even more innovative — and sometimes highly customized — approaches to managing security threats. To better address its customers’ needs, ViaSat now uses a built-in threat-management system that allows for prompt incident reporting, and the collection and sharing of threat intelligence data. As a result, ViaSat is able to provide patches and fixes within a short time frame.
Chris Hill, CTO of ITC Global, suggested that managing different customers with different needs and in-house expertise can be challenging.
“Some [organizations] have security specification guidelines that are 60 pages long, while others don’t have anything at all,” said Hill. “Yet some of those 60-page guidelines don’t have to do with satellites, so we have to fill in the blanks. You have a spectrum of clients with different requirements, commercial airlines with ISO standards, government customers with other standards … you have to employ mechanisms with all those needs.”
Specifically, it can be tricky to navigate conversations with organizations in different industries (e.g., mining, gas, maritime), because they just want their communications technology to work without having to adapt to security conversations, he said.
“Some customers know nothing about internet security — they just want their email to work,” said Hill, adding that when he first entered the satellite industry years ago, security concerns weren’t top of mind. “So we have to bring the [security] conversation to them. So the skill set that’s required has really evolved.”
Tomaszewski agreed, noting that there isn’t a one-size-fits-all solution for all of iDirect’s commercial customers. “Some of the end customers are geologists who want to do their jobs,” while others can articulate exactly what they want, he added.
But when customers don’t respond to your ideas for enhancing security, sometimes there’s nothing you can do. Or, as David Henning, network security director for Hughes, put it, “you can lead a horse to water, but if they don’t drink, what are you going to do?”
Hughes provides solutions for enterprises of all sizes, serving as a managed network services provider, and offers a variety of network security solutions in its portfolio. Because many of the organization’s clients are in the Payment Card Industry (PCI), helping those organizations protect data and adhere to PCI Compliance standards is one of his chief concerns.
“This has been the main business driver for a lot of the security features we’ve built,” said Henning. Today, Hughes offers a suite of risk-management services, including cybersecurity monitoring, IDS/IPS antivirus security, and content filtering, within its portfolio of products and services. When asked whether there are impediments to information sharing between one company and the next, Henning said he also favored an open approach, where satellite industry players exchange the information they have so they can better defend their interests against hackers and other threats.
“From my perspective, I don’t think there should be anything from an information security perspective that we should hold off,” said Henning. “All of the security [solutions are] based on industry standards and government standards, and industry best practices. If you’re following those, you’re doing what should be done.”
For Bethea-Murphy, openly communicating about risks and solutions can help prevent attacks. Therefore, she supports an open-door atmosphere that encourages partners to participate in the process of discussing and adjusting policies.
“Our industry is responding to ensure stability [and] we do this with communications,” said Bethea-Murphy. “We have to talk to one another on every level. We see the challenge of cybersecurity as a holistic approach. As threats evolve it’s important for a company’s risk management policies to evolve.”